Install an external admission controller
I manage several k8s clusters and have been experimenting with LKE for a client. For the application I have several mutating admission controllers. One of these I run on a google cloud function endpoint for decrypting secrets using berglas.
On a GCP k8s or a self-managed cluster these instructions work fine: https://github.com/GoogleCloudPlatform/berglas/tree/main/examples/kubernetes. A GCP cloud function is deployed and that endpoint is used in a MutatingWebhookConfiguration as a clientConfig.url.
AFAICT this does not work. My cloud function never receives an AdmissionReview request from LKE.
So I pulled up my sleeves, and wrote some additional Go + helm to:
- use cert-manager to create a self-signed cert
- save cert to secret
- use cert-manager cainjector to inject the cert into the MutatingWebhookConfiguration
- create dockerfile + deployment for berglas admission mutation webhook
- attach the certificate secret to the berglas webhook deployment as a volume
- use the certificate to start a TLS webhook
- install the webhook into the LKE cluster
That works! So it appears that using a clientConfig that targets an endpoint in the cluster works fine. cert-manager and other apps do this, and I was able to get it to work myself. However, a clientConfig.url that targets an endpoint that is not inside the cluster and is hosted at an external location does not seem to work.
I didn't see any documentation on this, so this left me wondering if this behavior is expected.
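The in-cluster wiring the post lists (self-signed cert from cert-manager, cainjector filling the CA bundle, webhook reached through a Service rather than an external URL), as an added example that is not from the original post or the berglas project. The namespace `berglas`, the Service `berglas-webhook` on port 443, the handler path `/mutate`, and a Deployment that mounts the `berglas-webhook-tls` Secret for its TLS listener are assumptions.

```yaml
# Added example, not from the original post or the berglas project. Assumed
# names: namespace "berglas", Service "berglas-webhook" (443), path "/mutate".
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: berglas-selfsigned
  namespace: berglas
spec:
  selfSigned: {}
---
# The serving cert; cert-manager stores key + cert + ca in the named Secret,
# which the webhook Deployment mounts as a volume to start its TLS listener.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: berglas-webhook-cert
  namespace: berglas
spec:
  secretName: berglas-webhook-tls
  dnsNames:
    - berglas-webhook.berglas.svc
  issuerRef:
    name: berglas-selfsigned
    kind: Issuer
---
# clientConfig.service keeps the apiserver's call inside the cluster (the
# external clientConfig.url form is what never got an AdmissionReview on LKE);
# cainjector fills clientConfig.caBundle from the annotated Certificate's CA.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: berglas-webhook
  annotations:
    cert-manager.io/inject-ca-from: berglas/berglas-webhook-cert
webhooks:
  - name: berglas-webhook.berglas.svc
    clientConfig:
      service:
        name: berglas-webhook
        namespace: berglas
        path: /mutate
        port: 443
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]
        resources: ["pods"]
    sideEffects: None
    admissionReviewVersions: ["v1"]
```

Because caBundle is left unset and injected by cainjector, the webhook's self-signed CA never has to be pasted into the configuration by hand, and rotating the Certificate updates the bundle automatically.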
1 Reply
This sort of setup won't work on an LKE cluster, as the kube-apiserver will not be able to reach a service running external to the cluster.
A workaround is Hashicorp's Consul. That is very good at taking external (to the cluster) networking and bringing it inside the cluster.